[ci skip]

Install lsb-release for repo URL construction

See merge request gitlab/gitlabhq!3592

This reverts commit e29a2ba5.

This reverts commit dda1b34c.

[ci skip]

This reverts commit 426287d2.

This reverts commit fb3833cd.

[ci skip]

Backport reliable fetcher to 12.2

See merge request gitlab/gitlabhq!3585

backport https://gitlab.com/gitlab-org/gitlab/commit/2be136b6cdf59f4664d9fbbe91e16498a47ba227
see https://gitlab.com/gitlab-org/gitlab/commit/3baeb0c7fd6829b8c083a43370163d16f7700263
see https://gitlab.com/gitlab-org/gitlab/merge_requests/21161

[ci skip]

Return 404 on LFS request if project doesn't exist

See merge request gitlab/gitlabhq!3508

Only assign merge params when allowed

See merge request gitlab/gitlabhq!3460

Nested GraphQL query with circular relationship can cause Denial of Service

See merge request gitlab/gitlabhq!3385

Improper access control allows the attacker to comment in internal commit after they are no longer admin

See merge request gitlab/gitlabhq!3392

Improper access control allows the attacker to comment in internal commit after they are no longer admin

Merge branch 'security-2914-labels-visible-despite-no-access-to-issues-repositories-12-2' into '12-2-stable'

Labels visible despite no access to issues & repositories

See merge request gitlab/gitlabhq!3431

Project path reveals labels from Private project if the issue is moved to public project

See merge request gitlab/gitlabhq!3445

Merge branch 'security-ag-hide-private-members-in-project-member-autocomplete-12-2' into '12-2-stable'

Hide private members in project member autocomplete

See merge request gitlab/gitlabhq!3448

Private/internal repository enumeration via bruteforce on a vulnerable URL

See merge request gitlab/gitlabhq!3456

Mask sentry auth token

See merge request gitlab/gitlabhq!3464

Sanitize search text to prevent XSS

See merge request gitlab/gitlabhq!3470

Require Maintainer permission on group where project is transferred to

See merge request gitlab/gitlabhq!3473

Use the '\A' and '\z' regex anchors in `InternalRedirect` to mitigate an Open Redirect issue.

See merge request gitlab/gitlabhq!3476

Pass all wiki markup formats through our Banzai pipeline filters

See merge request gitlab/gitlabhq!3479

Handle Stored XSS for Grafana URL in settings

See merge request gitlab/gitlabhq!3481

- Extend Gitlab::UrlBlocker to allow relative urls (require_absolute
  setting).  The new `require_absolute` setting defaults to true,
  which is the existing behavior.

- Extend AddressableUrlValidator to accept `require_abosolute` and
  default to the existing behavior

- Add validation for ApplicationSetting#grafana_url to validate that
  the URL does not contain XSS but can be a valid relative or absolute
  url.

- In the case of existing stored URLs, validate the stored URL does
  not contain XSS. If the stored URL contains stored XSS or is an
  otherwise invalid URL, return the default database column value.

- Add tests for Gitlab::UrlBlocker to test require_absolute setting

- Add tests for AddressableUrlValidator

- Add tests for ApplicationSetting#grafana_url

Filter out search results based on permissions to avoid bugs leaking data

See merge request gitlab/gitlabhq!3494

When a user updates a merge request coming from a fork, they should
not be able to set `force_remove_source_branch` if they cannot push
code to the source project.

Otherwise developers of the target project could remove the source
branch of the source project by setting this flag through the API.